9 Managing Oracle Fusion Middleware Security on IBM WebSphere

This chapter contains information about managing Oracle Fusion Middleware security on IBM WebSphere, and it explains the particularities of some Oracle Platform Security Services (OPSS) features on that platform.

OPSS is a security platform that can be used to secure applications deployed in any of the supported platforms or in standalone applications.

On IBM WebSphere, OPSS scripts have a slightly different syntax from the one used on WebLogic Server: script names are prefixed with the string "Opss." (for example, Opss.configureIdentityStore). Unless explicitly stated, arguments are identical to the WebLogic case.

9.1.1 Configuring a Registry

The configuration of an LDAP registry on IBM WebSphere is accomplished with the command configureIdentityStore, an online administration command with the following syntax:

wsadmin> Opss.configureIdentityStore(propsFileLoc="fileLocation")

propsFileLoc specifies the location of the file that contains the property settings for the LDAP identity store. This command modifies the configuration file jps-config.xml to include the specifications in the property file.

After running Opss.configureIdentityStore, the server must be restarted.

The following properties are required and must be specified in the property settings file:

ldap.host

ldap.port

admin.id

admin.pass

idstore.type

user.search.bases

user.id.map

group.id.map

group.member.id.map

group.search.bases

primary.admin.id

The following list includes optional properties specific to an IBM WebSphere registry:

group.filter

user.filter

The following sample illustrates the property settings for an Oracle Directory Server Enterprise Edition identity store. Note that the file carries the directory administrator's password in clear text (admin.pass): restrict its permissions to the user running wsadmin, keep it out of shared or version-controlled locations, and remove it once the command has been run.

user.search.bases=cn=Users,dc=us,dc=oracle,dc=com
group.search.bases=cn=Groups,dc=us,dc=oracle,dc=com
subscriber.name=dc=us,dc=oracle,dc=com
user.selected.create.base=cn=Users,dc=us,dc=oracle,dc=com
group.selected.create.base=cn=Groups,dc=us,dc=oracle,dc=com
ldap.host=myhost.example.com
ldap.port=3060
# admin.id must be the full DN of the user in the LDAP
admin.id=cn=orcladmin
admin.pass=welcome1
user.filter=(&(uid=%v)(objectclass=person))
group.filter=(&(cn=%v)(objectclass=groupofuniquenames))
user.id.map=*:uid
group.id.map=*:cn
group.member.id.map=groupofuniquenames:uniquemember
# In case of type=ACTIVE_DIRECTORY, the primary.admin.id indicates a user
# who has admin permissions in the LDAP, and it must be the name of the user;
# for example, for user "cn=tom", the primary.admin.id is "tom".
# For any other type, the primary.admin.id is wasadmin or orcladmin.
primary.admin.id=orcladmin
# optional, defaults to "OID"
idstore.type=IPLANET
# other, optional identity store properties can be configured in this file.
username.attr=cn
# if ssl is set to true, SSL has to be configured as explained in the procedure below
# before executing the command
ssl=false

The list of valid identity store types is the following:

OID

IPLANET

OVD

ACTIVE_DIRECTORY

OPEN_LDAP

If ssl was set to true, before invoking the command, proceed as follows:

In the WAS console, navigate to Security > Global security.

In User account repository, select Available realm definitions, and then Standalone LDAP registry; then click Configure.

9.1.2 Seeding a Registry

Some Oracle Fusion Middleware components require that certain users and groups be present in the IBM WebSphere identity store. To ensure that this requirement is met, use any tool to seed the required data; in particular, you can use an LDIF file and the LDAP utility bulkload to load users and groups into the identity store. Here is a sample LDIF file:
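As an added example, not code from the Oracle documentation or from OPSS, the following Python script checks a property settings file against the required-property list and the valid idstore.type values given in section 9.1.1 before Opss.configureIdentityStore is run, flags settings a practitioner should reconsider (an admin.id that is not a full DN, ssl=false), and, for the seeding step above, builds an LDIF file for sample users and groups under the configured search bases using the attribute names from user.id.map, group.id.map and group.member.id.map. The embedded property text mirrors the page's DSEE sample and the user and group names are constructed test data; the object classes emitted in the LDIF (person, inetOrgPerson and the group class named in group.member.id.map) are an assumption suited to a DSEE-style directory. The script runs under a standard Python interpreter, not under wsadmin.

```python
"""Check an OPSS identity-store property file before running
Opss.configureIdentityStore, and build an LDIF skeleton for seeding the
registry.

Added example, not code from the Oracle documentation. The required
property names, valid idstore.type values and the "admin.id is a full DN"
rule come from the page; the sample property text and the seed user and
group names are constructed test data; the LDIF object classes are an
assumption that fits a DSEE-style directory.
"""
import re

REQUIRED = ("ldap.host", "ldap.port", "admin.id", "admin.pass", "idstore.type",
            "user.search.bases", "user.id.map", "group.id.map",
            "group.member.id.map", "group.search.bases", "primary.admin.id")
VALID_TYPES = ("OID", "IPLANET", "OVD", "ACTIVE_DIRECTORY", "OPEN_LDAP")
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)+$")  # two or more RDNs

# Constructed sample mirroring the page's DSEE example (note the clear-text password).
SAMPLE = """\
user.search.bases=cn=Users,dc=us,dc=oracle,dc=com
group.search.bases=cn=Groups,dc=us,dc=oracle,dc=com
ldap.host=myhost.example.com
ldap.port=3060
# admin.id must be the full DN of the user in the LDAP
admin.id=cn=orcladmin
admin.pass=welcome1
user.id.map=*:uid
group.id.map=*:cn
group.member.id.map=groupofuniquenames:uniquemember
primary.admin.id=orcladmin
idstore.type=IPLANET
ssl=false
"""


def parse_props(text):
    """Parse Java-style key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # partition keeps any '=' inside the value (DNs, filters)
            props[key.strip()] = value.strip()
    return props


def validate(props):
    """Return a list of problems; an empty list means the file is ready to use."""
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append("missing required property: " + key)
    idtype = props.get("idstore.type")
    if idtype and idtype not in VALID_TYPES:
        problems.append("invalid idstore.type %r; valid: %s" % (idtype, ", ".join(VALID_TYPES)))
    port = props.get("ldap.port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("ldap.port must be a TCP port number")
    admin = props.get("admin.id", "")
    if admin and not DN_RE.match(admin):
        problems.append("admin.id is not a full DN: " + admin)
    for key in ("user.id.map", "group.id.map", "group.member.id.map"):
        if props.get(key) and len(props[key].split(":")) != 2:
            problems.append(key + " must have the form objectclass:attribute")
    if props.get("ssl", "false").lower() != "true":
        problems.append("warning: ssl=false, the admin bind and all directory traffic go in clear text")
    return problems


def seed_ldif(props, users, groups):
    """Build LDIF adding `users` (list of ids) and `groups` (name -> member ids)
    under the configured search bases, using the attribute names from the maps."""
    user_attr = props["user.id.map"].split(":")[1]
    group_attr = props["group.id.map"].split(":")[1]
    group_oc, member_attr = props["group.member.id.map"].split(":")
    user_base, group_base = props["user.search.bases"], props["group.search.bases"]
    lines = []
    for uid in users:
        attrs = [("dn", "%s=%s,%s" % (user_attr, uid, user_base)),
                 ("objectclass", "top"), ("objectclass", "person"),
                 ("objectclass", "inetOrgPerson"), (user_attr, uid)]
        attrs += [(a, uid) for a in ("cn", "sn") if a != user_attr]  # person needs cn and sn
        lines += ["%s: %s" % kv for kv in attrs] + [""]
    for name, members in groups.items():
        attrs = [("dn", "%s=%s,%s" % (group_attr, name, group_base)),
                 ("objectclass", "top"), ("objectclass", group_oc), (group_attr, name)]
        attrs += [(member_attr, "%s=%s,%s" % (user_attr, m, user_base)) for m in members]
        lines += ["%s: %s" % kv for kv in attrs] + [""]
    return "\n".join(lines)


if __name__ == "__main__":
    p = parse_props(SAMPLE)
    for problem in validate(p):
        print(problem)
    print(seed_ldif(p, ["weblogic"], {"Administrators": ["weblogic"]}))
```

Run against the page's own sample, validate() reports exactly two findings: admin.id is a single RDN although the comment in the file requires a full DN, and ssl=false, which sends the administrator bind in clear text. Feed the resulting LDIF to bulkload (or ldapadd) only after reviewing the object classes against your directory's schema.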

9.2 Recommendation for Multiple-Node Environments

In environments where several server instances are distributed across multiple machines, it is highly recommended that the OPSS security store be LDAP- or DB-based and that it be configured in the dmgr (deployment manager) server.

If, however, a file-based store is used in a multiple-node environment (not recommended), any change to the store should be performed in the dmgr server so that the change is propagated to all other servers in the environment. The data on servers other than dmgr is refreshed according to the caching configuration.

9.3 Configuring the Trust Association Interceptor

HTTP clients can pass identity information to WebSphere Application Server using the Trust Association Interceptor (TAI). OPSS uses TAI as the asserter that intercepts calls coming into WebSphere cells to support identity propagation across containers and cells.

9.6 Reassociating Policies with reassociateSecurityStore

For complete details about the script reassociateSecurityStore, which reassociates the policy store, see the Oracle Fusion Middleware Application Security Guide. Because this script is likely to run for some time, you may need to raise the default connection timeout to the server to a suitably larger value to avoid exceptions.

To reset the default connection timeout, proceed as follows:

Open the file soap.client.props, located in the properties subdirectory of the profile_root directory, for editing.

In that file, set the property com.ibm.SOAP.requestTimeout to the desired value, such as 1200 (seconds).

9.11 About the File web.xml

The WebLogic-specific use of the <auth-method> element in a web.xml file is not supported on IBM WebSphere; if found, it must be replaced with the equivalent functionality supported for IBM WebSphere's web.xml files.

9.12 Executing Common Audit Framework wsadmin Commands

To run audit commands, provided by Oracle Fusion Middleware's Common Audit Framework, you need to do the following:

In the New page, enter an Alias, and set User ID and Password to the user name and password of the database user. Click OK to go back to the JAAS-J2C Authorization page.

In that page, if necessary, expand the Message box and click Save.

Use the Previous button on your browser to go back to the page in step 4 above. To be able to see the authentication alias you entered, refresh the page by clicking the Previous and Next buttons on your browser.

Set Component-Managed Authentication Alias and Container-Managed Authentication Alias to the authentication alias you entered (which should now show on the pull-down lists), and Mapping-Configuration Alias to DefaultPrincipalMapping. Click Next.

Click Finish and then Save, to save the specified data source.

To validate the newly created data source, navigate to the DataSource page and click Test Connection.

Note:

Some of the steps in the preceding procedure can be accomplished in pages not referenced in the procedure; examples of these pages are the Creating a JDBC Provider and Creating J2C Authentication Data pages.

9.15 Executing Keystore Service Commands

This section provides information about running Keystore Service commands that is specific to IBM WebSphere.

permission Option Requires Quotes

Certain Keystore Service commands include the permission option. When running commands containing this option on IBM WebSphere, enclose the permission option's value in single quotes (''). For example:

9.16 Setting Parameters for Custom Audit Service Registration

You can perform custom registration of your application to the audit service by configuring OPSS deployment descriptors, as explained in Register Application with the Registration Service in the Oracle Fusion Middleware Application Security Guide. On IBM WebSphere you set these registration parameters in the opss-application.xml file.
